Syslog Tutorial

As an administrator of a network, you have just completed all the configuration and they are working nicely. Now maybe the next thing you want to do is to set up something that can alert you when something goes wrong or down in your network. Syslog is an excellent tool for system monitoring and is almost always included in your distribution.

Places to store and display syslog messages

There are some places we can send syslog messages to:

Place to store syslog messages               | Command to use
---------------------------------------------|-------------------------
Internal buffer (inside a switch or router)  | logging buffered [size]
Syslog server                                | logging
Flash memory                                 | logging file flash:filename
Nonconsole terminal (VTY connection…)        | terminal monitor
Console line                                 | logging console

Note: If sent to a syslog server, messages are sent on UDP port 514.

By default, Cisco routers and switches send log messages to the console. We should use a syslog server to hold our logging messages, configured with the logging command. A syslog server is the most popular place to store logging messages, and administrators can easily monitor the health of their networks based on the received information.

Syslog syntax

A syslog message has the following format:

seq no:timestamp%FACILITY-SEVERITY-MNEMONIC: message text

Each portion of a syslog message has a specific meaning:
+ Seq no: a sequence number only if the service sequence-numbers global configuration command is configured
+ Timestamp: Date and time of the message or event. This information appears only if the service timestamps global configuration command is configured.
+ FACILITY: This tells the protocol, module, or process that generated the message. Some examples are SYS for the operating system, IF for an interface…
+ SEVERITY: A number from 0 to 7 designating the importance of the action reported. The levels are:

Level | Keyword       | Description
------|---------------|------------------------------------------
0     | emergencies   | System is unusable
1     | alerts        | Immediate action is needed
2     | critical      | Critical conditions exist
3     | errors        | Error conditions exist
4     | warnings      | Warning conditions exist
5     | notification  | Normal, but significant, conditions exist
6     | informational | Informational messages
7     | debugging     | Debugging messages

The highest level is level 0 (emergencies). The lowest level is level 7. To change the minimum severity level that is sent to syslog, use the logging trap level configuration command. If you specify a level, that level and all the higher (more severe, numerically lower) levels will be displayed. For example, by using the logging console warnings command, all the logging of emergencies, alerts, critical, errors and warnings will be displayed. Levels 0 through 4 are for events that could seriously impact the device, whereas levels 5 through 7 are for less-important events. By default, syslog servers receive informational messages (level 6).

+ MNEMONIC: A code that identifies the action reported.
+ message text: A plain-text description of the event that triggered the syslog message.

Let's look at an example syslog message:

39345: May 22 13:56:35.811: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to down
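To show how the syntax above and the severity threshold fit together, here is an added example (not part of the original tutorial) that parses IOS-style syslog lines into their seq no, timestamp, FACILITY, SEVERITY, MNEMONIC and message text, and then applies a `logging trap` style threshold so only messages at the named level or more severe are kept. The sample lines are constructed for this example (the first is the page's own message); the severity keywords are the ones listed in the table above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Severity keywords indexed by level (0 = most severe), as in the table above.
SEVERITY_KEYWORDS = ["emergencies", "alerts", "critical", "errors",
                     "warnings", "notification", "informational", "debugging"]

# seq no (optional) : timestamp (optional) : %FACILITY-SEVERITY-MNEMONIC: message text
IOS_SYSLOG_RE = re.compile(
    r"^(?:(?P<seq>\d+):\s*)?"          # present only with 'service sequence-numbers'
    r"(?:(?P<ts>[^%]+?):\s*)?"         # present only with 'service timestamps'
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<text>.*)$"
)

@dataclass
class IosSyslog:
    seq: Optional[int]
    timestamp: Optional[str]
    facility: str
    severity: int
    mnemonic: str
    text: str

def parse_ios_syslog(line: str) -> IosSyslog:
    """Split one IOS syslog line into its fields; raise if it does not match the format."""
    m = IOS_SYSLOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an IOS syslog message: {line!r}")
    return IosSyslog(seq=int(m["seq"]) if m["seq"] else None,
                     timestamp=m["ts"].strip() if m["ts"] else None,
                     facility=m["facility"], severity=int(m["severity"]),
                     mnemonic=m["mnemonic"], text=m["text"])

def passes_trap_level(msg: IosSyslog, trap_level: str) -> bool:
    """Mimic 'logging trap <level>': keep that level and every more severe (lower-numbered) one."""
    return msg.severity <= SEVERITY_KEYWORDS.index(trap_level)

def filter_by_trap_level(lines: List[str], trap_level: str = "informational") -> List[IosSyslog]:
    """Return the parsed messages a syslog server would receive under the given trap level."""
    return [m for m in map(parse_ios_syslog, lines) if passes_trap_level(m, trap_level)]

# Constructed sample lines: the page's example plus two made-up ones (one with no seq no or timestamp).
SAMPLE_LINES = [
    "39345: May 22 13:56:35.811: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to down",
    "39344: May 22 13:56:34.803: %LINK-3-UPDOWN: Interface Serial0/0/1, changed state to down",
    "%SYS-5-CONFIG_I: Configured from console by console",
]

if __name__ == "__main__":
    for m in filter_by_trap_level(SAMPLE_LINES, "warnings"):   # only level 0-4 messages survive
        print(m.severity, m.facility, m.mnemonic, m.text)
```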